Protect website source code.Password protection [FAQ]
Can I password protect html files ? How secure
is html password protection?
Yes. There are two types of password protection available - Basic and Ultra-Strong.
To use the Basic protection, just check 'Password protect this page' box, and
in the password configuration window set the password and the action in case
the visitor enters an incorrect password. Of course, this is not a PGP sort of
protection :) , so don't use this feature to protect highly sensitive information.
However, it is practically impossible to extract the password from the encrypted file,
especially if you use the alternative encryption method(for IE 5+ only).
If you need to password protect a highly sensitive information in an extremely
secure way, you have to use the Ultra-Strong password protection. How to do this
is
explained here.
Can I encrypt ASP files?
Yes. HTML Guardian provides two encryption methods
for .ASP files - Standard and Enhanced.
A comparison between them you can read in the "Protecting
ASP files" section of the Help file. In Standard mode,
by default HTML Guardian will only encrypt the server-side parts of
the code for .asp files, but you can encrypt parts of the client-side
html and script code as well.
Server-side code is not visible to the web site visitors if they view the page
source or save the .asp file to disk. But it is what takes most of the time and
efforts when you develop asp solutions. So this option can be very useful if
you need to give the asp source to some third parties - they can test what you've
done on their server, but can't steal your source. In general, it is a good idea
to encrypt .asp files even if you don't give them to anyone - this will protect
your work if someone for example knows your password and can have ftp access
to your server. There are also several bugs in Microsoft's asp server that make
possible a knowledgable person to retrieve the real source code of your .asp
files if the asp server security is not well configured. In most cases the asp server
configuration is done by somebody else and you can't know if it's vulnerable
to such attempts - so it's always better to protect your asp source code.
In Enhanced mode, HTML Guardian encrypts asp files and
the client side code in the server's response entirely. Some other features are
also only available in Enhanced mode.
Password protection is not available for .asp files in the current version of the program.
Which protection method I should use? What's
the difference?
If you use the default method (for 'All' browsers), the encrypted
files will work in all the available browsers. If you use the alternative method
for IE5+ only, encrypted files will be properly displayed only in Internet
Explorer 5.0 or higher.
The default method uses standard javascript for encryption. The alternative method
uses some features available in Internet Explorer 5.0 or higher only.
The alternative encryption method for IE5+ is faster and more secure, it is practically
impossible to be cracked. Many web designers create a separate version of their
sites for each browser. In this case you can encrypt the IE version of your site
using the alternative method, and use the default method for others. The alternative
method can be also used if you create files for internal use, because IE is the
standard browser for almost all organizations. It's also suitable if you create
files which will be used offline, like e-books or manuals in html or chm format.
We suggest that you use HTML Guardian's
Site Manager. It will encrypt your site(or any set of files that
reside in one folder) both for 'All' and 'IE5+' browsers and will generate a
file which will redirect the visitors to the appropriate encrypted version of
your files depending on the browser used. This way people that use IE 5 or higher(now
about 95 % of all web users) will see the files encrypted for IE 5+ browsers,
and the rest will see the files encrypted with the default method (for 'All'
browsers).
Do I need to use all protection options
available? What's the recommended set of options?
Of course, you don't have to use all options together. Some
of them we added in HTML Guardian because they were requested by our corporate
customers, and are not always needed. There is no recommended set of options,
use those you find appropriate. However, we suggest that you always disable
right click for html files.
I don't want my site to be visited with
certain browsers. Is it possible to deny access to my site if it is visited
with certain browsers?
Yes, you can. You should create a browser detection script
for that. The best way is to put this script in a separate .js file, let's
say brwsr_detect.js
Then you should add a reference to this script in each of your html files like
this
<script src='brwsr_detect.js'></script>
The above line should be included in the HEAD section of all your files for which
you want to detect the browser.
Below is a very simple browser detection script( there are much better examples available
on the web which can detect the browser build, the OS, the browser support for
different plug-ins and many other things):
if(document.all&&!document.getElementById){brwsr='ie4'}; // Internet
Explorer 4.x
if(document.all&&document.getElementById){brwsr='ie5'}; // Internet
Explorer 5.0 or higher
if(document.layers){brwsr='nn4'}; // Netscape 4.x
if(window.sidebar){brwsr='nn6'}; // Netscape 6.x
if(navigator.userAgent.toLowerCase().indexOf('opera')>=0){brwsr='opera'}; // Opera
// alert(brwsr)
Now let's say you don't want your site to be visited by Opera browsers - you
should include a line like this in the script:
if(brwsr=='opera'){document.location='error.htm'};
This will redirect Opera browsers to the error.htm page (you should create it).
It may say something like
'This site can't be viewed with your browser. Internet Explorer 5+ or Netscape
6+ is required'
Netscape's 4.x implementation of javascript is awful - the above script may not
work in some Netscape 4.x versions. If you don't want your site to be visited
by Netscape 4.x browsers, it's better to include this in each page or at least
in your main page (not as a .js file but directly in the html source, HEAD section):
<script>if(document.layers){document.location='error.htm'}</script>
List of supported file types.
HTML Guardian can directly protect the files of the following
types:
*.htm / *.html / *.shtm / *.shtml / *.stn / *.asp / *.js / *.vbs / *.css / *.php/
*.inc (.inc files are always treated as asp includes).
If Image Guardian is enabled, you can also protect the images in the following
formats:
*.jpg / *.gif (but not animated gif's) / *.bmp
No other file types are currently supported. HTML Guardian can not directly protect
files in a format different than the ones listed above(like .cfm , .jsp, .swf,
.png, .wav, .class, .jar, .cab or any other file type that may be used in your
website). By encrypting the source code HTML Guardian will make unauthorized
copying of most files of unsupported types much harder, but it will not modify
them in any way.
Changing the extension of any file of an unsupported type to spoof HTML Guardian
is not recommended and may have undesired results.
Note that you can only password protect html / shtml / php files. Files of other
types can't be encrypted with a password.HTML Guardian can't protect folders,
only files.
|